authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-03-02 15:27:30 +0100
committerGitHub <noreply@github.com>2023-03-02 15:27:30 +0100
commit89cae9ddf257e156e3973270aacea51dad2c8662 (patch)
treedf120c1bf5ec4f74bf7ccadae696c3f6bac336e8 /src
parent3047e286c082902415554f6cdf761a5502962469 (diff)
Add a new flow risk about literal IP addresses used as SNI (#1892)
RFC 6066, Section 3: "Literal IPv4 and IPv6 addresses are not permitted in "HostName"." Don't set this risk if we have a valid sub-classification (for example, via the certificate). Since a similar risk already exists for HTTP hostnames, reuse it under a more generic name.
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/ndpi_utils.c6
-rw-r--r--src/lib/protocols/http.c4
-rw-r--r--src/lib/protocols/tls.c24
5 files changed, 31 insertions, 9 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index ea7f9e737..c7a39ca12 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -83,7 +83,7 @@ typedef enum {
NDPI_TLS_CERTIFICATE_EXPIRED,
NDPI_TLS_CERTIFICATE_MISMATCH, /* 10 */
NDPI_HTTP_SUSPICIOUS_USER_AGENT,
- NDPI_HTTP_NUMERIC_IP_HOST,
+ NDPI_NUMERIC_IP_HOST,
NDPI_HTTP_SUSPICIOUS_URL,
NDPI_HTTP_SUSPICIOUS_HEADER,
NDPI_TLS_NOT_CARRYING_HTTPS,
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 9340e4c58..6c7ba2e15 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -142,7 +142,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_TLS_CERTIFICATE_EXPIRED, NDPI_RISK_HIGH, CLIENT_LOW_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
{ NDPI_TLS_CERTIFICATE_MISMATCH, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
{ NDPI_HTTP_SUSPICIOUS_USER_AGENT, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
- { NDPI_HTTP_NUMERIC_IP_HOST, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+ { NDPI_NUMERIC_IP_HOST, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_HTTP_SUSPICIOUS_URL, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_HTTP_SUSPICIOUS_HEADER, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_TLS_NOT_CARRYING_HTTPS, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
@@ -2946,7 +2946,7 @@ static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct
const ndpi_risk risks_to_mask[] = {
NDPI_SUSPICIOUS_DGA_DOMAIN,
NDPI_BINARY_APPLICATION_TRANSFER,
- NDPI_HTTP_NUMERIC_IP_HOST,
+ NDPI_NUMERIC_IP_HOST,
NDPI_MALICIOUS_JA3,
NDPI_NO_RISK /* End */
};
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 53ed95939..79138b8e2 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1928,8 +1928,8 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_HTTP_SUSPICIOUS_USER_AGENT:
return("HTTP Susp User-Agent");
- case NDPI_HTTP_NUMERIC_IP_HOST:
- return("HTTP Numeric IP");
+ case NDPI_NUMERIC_IP_HOST:
+ return("HTTP/TLS/QUIC Numeric Hostname/SNI");
case NDPI_HTTP_SUSPICIOUS_URL:
return("HTTP Susp URL");
@@ -2053,7 +2053,7 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_TCP_ISSUES:
return("TCP Connection Issues");
-
+
default:
ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index b9cc198c1..e0f56c4e8 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -634,7 +634,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
char str[64];
snprintf(str, sizeof(str), "Found host %s", buf);
- ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_NUMERIC_IP_HOST, str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, str);
}
}
@@ -916,7 +916,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
strstr(flow->http.url, "download.windowsupdate.com/")) &&
ndpi_strnstr((const char *)packet->user_agent_line.ptr, "Microsoft-Delivery-Optimization/",
packet->user_agent_line.len) &&
- ndpi_isset_risk(ndpi_struct, flow, NDPI_HTTP_NUMERIC_IP_HOST)) {
+ ndpi_isset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST)) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
}
}
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 299e59ecb..6b56529dd 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -347,6 +347,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct
ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE);
flow->category = ndpi_get_proto_category(ndpi_struct, ret);
ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto);
+ ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
}
}
}
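Review bot: The `ndpi_unset_risk` added in `checkTLSSubprotocol` clears `NDPI_NUMERIC_IP_HOST` whenever the sub-protocol comes from the cache (`NDPI_CONFIDENCE_DPI_CACHE`), not from anything observed on this flow; if that cache is keyed on the server endpoint (not visible here), a flow whose ClientHello carried a literal-IP SNI loses the risk merely because an earlier flow to the same server was classified. That is a weaker justification than the certificate path, and the commit message only names the certificate case, so the intent should be confirmed and recorded next to the call, e.g. `/* A cached sub-classification counts as a valid one: drop the literal-IP SNI risk */`. checkTLSSubprotocol starts outside the hunk.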
@@ -682,8 +683,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
if(!flow->protos.tls_quic.subprotocol_detected)
- if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len))
+ if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len)) {
flow->protos.tls_quic.subprotocol_detected = 1;
+ ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
+ }
i += len;
} else {
@@ -727,6 +730,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
flow->category = ndpi_get_proto_category(ndpi_struct, ret);
ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id);
+ ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
if(ndpi_struct->tls_cert_cache) {
u_int32_t key = make_tls_cert_key(packet, 0 /* from the server */);
@@ -1508,6 +1512,19 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
/* **************************************** */
+static int check_sni_is_numeric_ip(char *sni) {
+ unsigned char buf[sizeof(struct in6_addr)];
+
+ if(inet_pton(AF_INET, sni, buf) == 1)
+ return 1;
+ if(inet_pton(AF_INET6, sni, buf) == 1)
+ return 1;
+ return 0;
+}
+
+
+/* **************************************** */
+
int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, uint32_t quic_version) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
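Review bot: `check_sni_is_numeric_ip` never writes through `sni`, so it should be declared `static int check_sni_is_numeric_ip(const char *sni)`, and a one-line comment above it such as `/* RFC 6066 §3 forbids IP literals in the SNI HostName; returns 1 if sni parses as an IPv4 or IPv6 literal, 0 otherwise */` would record why the check exists. Note that `inet_pton()` requires a NUL-terminated string and accepts only canonical forms — it rejects shorthand like `127.1`, a decimal `2130706433`, or an IPv6 literal with a zone id — so an SNI written that way is not flagged; whether that matters depends on what clients actually send, which is not visible here. The two consecutive blank lines before the separator comment are one more than the surrounding separators use.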
@@ -2050,6 +2067,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.tls_quic.subprotocol_detected = 1;
}
+ if(flow->protos.tls_quic.subprotocol_detected == 0 &&
+ check_sni_is_numeric_ip(sni) == 1) {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni);
+ }
+
if(ndpi_check_dga_name(ndpi_struct, flow,
sni, 1, 0)) {
#ifdef DEBUG_TLS
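Review bot: The risk string passed here is the bare `sni`, while the HTTP path touched by this same commit formats it as `"Found host %s"` in ndpi_check_numeric_ip; since both now raise the same `NDPI_NUMERIC_IP_HOST` risk, consumers reading the risk info get two different shapes for one event. Either pass the bare host in http.c too or build the same `"Found host %s"` message here so the description is uniform. The check runs only while `subprotocol_detected == 0`, so a flow that is sub-classified later depends on the matching `ndpi_unset_risk` calls in processCertificateElements and checkTLSSubprotocol; a short comment, e.g. `/* Cleared again if a sub-protocol is found later (certificate / cache) */`, would make that coupling visible. processClientServerHello continues outside the hunk.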